Risk Management auditing is one type of internal audit.
Since the 2008 financial crisis, regulatory and economic pressures have forced organizations to do more risk management auditing: to conduct enterprise-wide risk assessments, pursue strategic opportunities in a risk-effective manner, increase the effectiveness of risk mitigation efforts, and take a more holistic approach to risk management.
For example, in Europe, and particularly in France, internal control failures severely impacted Airbus Industrie (a subsidiary of the EADS group) in 2006 and Société Générale in 2008. Both cases marked the need for organizations to manage their internal control and risk management systems more effectively. In the case of Airbus Industrie, the fact that a two-year production delay on the new Airbus A380 went undetected was a clear sign of internal control dysfunction. In the case of Société Générale, the fact that for nearly a year the trader Jérôme Kerviel was able to invest tens of billions of Euros unbeknownst to either external or internal auditors was also a sign of internal control failure. (Vincent, 2008)
In the aftermath of such developments and, on a larger scale, the Enron, WorldCom, and Parmalat scandals, measures have been taken to reestablish investor confidence. Among them, a new series of norms, such as the Sarbanes-Oxley Act (SOX) and its international equivalents (for instance, the Law of Financial Security (LFS) in France), have compelled companies to ‘institutionalize’ methods for managing risks and achieving entity objectives. (COSO, 2004)
According to Paul DiMaggio and Walter Powell, ‘institutionalization’ is the process by which social processes take on the status of rules governing corporate thought and action. These new regulations have had a tremendous impact on management practices of late. Combined with the climate of economic crisis, such changes have fuelled intense interest in internal control and risk management systems. (DiMaggio and Powell, 1991)
An organization faces two types of risk: audit risk and business risk.
Audit risk: a function of the risk of material misstatement, or simply the risk that the financial statements are materially misstated prior to audit.
Business risk: a risk resulting from significant conditions, events, circumstances, actions or inactions that could affect an entity’s ability to achieve its objectives and execute its strategies, or from the setting of inappropriate objectives and strategies.
Types of Business Risk:
– External environment risks: threats from broad factors external to the business, including substitute products, catastrophic hazard loss, changes in customers’ tastes and preferences, competitors, the political environment, laws/regulations, and capital and labor availability.
– Business process and asset loss risks: threats from ineffective or inefficient business processes for acquiring, financing, transforming, and marketing goods and services, and threats of loss of firm assets, including its reputation.
– Information risks: threats from poor-quality information for decision-making within the business (i.e., the risk of being misinformed about real-world conditions due to using measurement methods that are not relevant, from careless or biased application of measurement methods or their display, or from incomplete information).
Information risk overlaps somewhat with external environment and business process risks, because the risk of being misinformed may concern an external environment, business process, or asset loss risk. Information risk also applies to the risk of providing erroneous or misleading information to outsiders. The latter risk may make management liable for statements about risk just as it does for bad financial and other information. (Armour, M., 2000)
– Risk analysis: how safe is the system, process or item to be investigated;
– Risk evaluation: how safe is safe enough, e.g. by comparing the results of the risk analysis with prescribed safety criteria;
– Risk management: how to achieve and ensure an adequate level of safety.
Thus, the results of technical risk assessments are one (often very important) part of an overall risk or safety assessment of an organization. (Berg, H., 2010)
Risk Management: Internal auditors must evaluate the effectiveness of risk management processes and contribute to their improvement.
Risk Management Processes: the processes to identify, assess, manage, and control potential events or situations so as to provide reasonable assurance regarding the achievement of the organization’s objectives. Whether the risk management processes are effective is a judgment resulting from the internal auditor’s assessment that:
1. Organizational objectives support the organization’s mission;
2. Significant risks are identified and assessed;
3. Appropriate risk responses are selected that align risks with the organization’s risk appetite;
4. Relevant risk information is captured and communicated in a timely manner across the organization, enabling staff, management and the board to carry out their responsibilities.
Risk Assessment Processes: Controls are put in place by management to address the inherent risks facing the organization. Risk assessment processes must be established to ensure that risks are identified. Auditors can then determine how effective the process is at minimizing the risk of significant misstatement of the financial statements. The risk assessment process must include estimating the significance of the risks, assessing the likelihood of their occurrence and deciding what actions should be taken to reduce the risks to the organization.
The objectives of the risk management auditing:
– To identify, evaluate, and manage risks that may threaten the achievement of the Company’s business goals.
– To secure personnel and assets and ensure the uninterrupted delivery of products to customers.
– To protect the Company’s reputation, brands, and shareholder value from developments or damage that may undermine the Company’s profitability or adversely affect its assets. (Fiskars Corporation, 2012)
Risk management should be controlled by the CFO and the internal audit committee:
– The CFO, as the co-ordinator of corporate risk management, creates corporate-level risk management principles, develops risk management tools and establishes global insurance policies.
– Business units must adhere to the corporate-level policies and proactively contribute to the development of corporate risk management. The risk management function concentrates on: (i) evaluation and management of operational risks; (ii) management of financial risk; and (iii) management and safeguarding of critical business-related information and assets. (Stonesoft Corporation, 2012)
Internal auditors must evaluate risk exposures relating to the organization’s governance, operations and information systems regarding:
1. The achievement of the organization’s strategic objectives.
2. The reliability and integrity of financial and operational information.
3. The effectiveness and efficiency of the organization’s operations and programs.
4. The safeguarding of assets.
5. Compliance with laws, regulations, policies, procedures and agreements.
6. Internal auditors must evaluate the potential for the occurrence of fraud and how the organization manages fraud risk.
7. Internal auditors must address risks consistent with the engagement’s objectives and be alert to the existence of other risks.
8. Internal auditors must incorporate knowledge of risks gained from consulting engagements into their evaluation of the organization’s risks.
9. Internal auditors should assist management in establishing or improving their risk management processes.
Internal auditors seek to expand their corporate capabilities:
"Audit committees and management expect more from internal audit, providing a huge opportunity for internal audit functions to be relevant contributors to protecting stakeholder value and the business from the most critical risks." (Sobel, P., 2008)
Before tackling the specifics of audit approaches, practitioners should consider the environment in which they conduct audits. Every organization operates differently, but all have some type of governance structure. Because internal auditing typically represents an important component of the organization’s governance framework, auditors must understand how governance operates in their organization. Auditor’s Risk Management Guide describes a framework that contains four main components: Board of directors, Stakeholders, Risk Management and Assurance. (Sobel, P., 2008)
Governance and Risk Management:
Auditor’s Risk Management Guide describes a framework that contains four main components:
– Board of directors. Most organizations have a board or similar governing body that is responsible for providing direction to management, empowering management with authority to take actions, and overseeing the overall results of the organization. Although these activities may be carried out by the audit committee, the board maintains primary responsibility for establishing governance.
– Stakeholders. Organizations have a variety of direct and indirect stakeholders, including shareholders, employees, customers, vendors, and regulatory agencies. The board must familiarize itself with these stakeholders and understand their needs and expectations. Ultimately, the board has fiduciary responsibility to stakeholders.
– Risk management. Management carries out the day-to-day execution of the board’s governance direction, which is communicated to and received by senior management but may be delegated to line managers who own the specific risks. These risk owners carry out the organization’s risk management activities.
– Assurance. Internal and external auditors provide management and the board with assurances regarding the effectiveness of governance and risk management activities.
(Sobel, 2008)
Strong corporate governance of risk has been acknowledged as important since the 2008 financial crisis. Organizations are under pressure to identify all the business risks they face: social, ethical and environmental as well as financial and operational. Meanwhile, the use of enterprise-wide risk management (ERM) frameworks has expanded, as organizations recognize their advantages over less coordinated approaches to risk management. Internal auditing, in both its assurance and its consulting roles, contributes to the management of risk in a variety of ways.
Enterprise Risk Management Increase Firm Value:
Enterprise-wide risk management (ERM) has emerged as a construct that ostensibly overcomes limitations of silo-based traditional risk management (TRM), yet little is known about its effectiveness. The scant research on the relationship between ERM and firm performance has offered mixed findings and has been limited by the lack of a suitable proxy for the degree of ERM implementation. (McShane M., Nair A. and Rustambekov E., 2011)
Stronger Risk Controls, Lower Risk: Evidence from U.S. Bank Holding Companies:
A strong and independent risk management function can curtail tail risk exposures at banks. (Ellul, A. and Yerramilli, V., 2013)
Internal auditors must assist the organization in maintaining effective controls by evaluating their effectiveness and efficiency and by promoting continuous improvement. Because the cost of risk management auditing is very high, the auditing itself must be effective and efficient.
Adopt the Proper Risk Management Approach:
In ERM, the responsibility for managing risk is spread across all employees. The "enterprise" in ERM includes all employees, management, board of directors, committees, members, the community, and regulators. The more your employees know about the risks your credit union faces, the more they can participate in finding and executing solutions, and in capitalizing on opportunities. (Colletts, J. 2014)
The role of internal auditing in enterprise-wide risk management:
Internal auditing is an independent, objective assurance and consulting activity. Its role with regard to enterprise-wide risk management is to provide objective assurance to the board on the effectiveness of risk management. In fact, research has shown that board directors and internal auditors agree that the role of internal auditing is to provide value to the organization by giving assurance that the major business risks are being managed appropriately and that the risk management and internal control framework is operating effectively.
Some organizations adopt enterprise risk management (ERM) concepts and approaches, while others conduct risk management in a less formal manner. Regardless of how an organization approaches risk management, the internal audit function must understand how risks are managed.
Two Enterprise-wide Risk Management (ERM) Frameworks:
The two most widely recognized enterprise-wide risk management frameworks are:
– Enterprise Risk Management – Integrated Framework, issued in September 2004 by the Committee of Sponsoring Organizations of the Treadway Commission (COSO), and
– ISO 31000 – Risk management – Principles and guidelines, issued in 2009 by the International Organization for Standardization (ISO).
Both frameworks were developed by internationally recognized thought leadership (COSO) and standards-setting (ISO) bodies, and, during development, each received significant input and vetting from a wide range of risk management experts and professionals. As such, both frameworks have received much recognition and are used in practice.
Internal auditors use ISO 31000:2009 and guidance documents, such as The IIA’s International Professional Practices Framework (IPPF), the COSO ERM framework, the Open Compliance and Ethics Group’s Red Book and others, to help their organizations manage risk as well as to audit those activities. Using a risk management standard or guidance documents and adapting the respective principles into the organization’s culture and processes is one key to effective risk management.
(Frigo, Mark L.; Anderson, Richard J., 2014)
(Institute of Internal Auditors (IIA), 2004)
Internal Audit as a Catalyst
Due to their co-dependent relationship, it is not entirely fair to say that the consulting activities in the enterprise-wide risk management fan are more important than the assurance activities in the fan. However, the consulting activities provide internal audit with the greatest opportunity to add value to the process. As such, these consulting activities represent the majority of the roles internal audit can assume in an effort to speed up the implementation of risk assessment methodology into the corporate governance framework. (Hall, 2007)
Conclusions:
In conclusion, the 2008 financial crisis and the European debt crisis have both been called out by regulators and the news media as evidence of the need for more inclusive, effective risk management practices and oversight. Management and internal auditors should measure risk through risk analysis, risk assessment, risk evaluation and risk management. Management should establish a tone at the top of the organization that encourages appropriate behavior; top management should communicate these values through a code of conduct, official policies and by example. Employees should possess the skills and knowledge essential to performing their jobs, especially when they are responsible for performing important control functions. The control environment is significantly influenced by the effectiveness of the board of directors or audit committee in overseeing the organization’s objectives.
In risk assessment, internal auditors are required to verify that management has a system of risk assessment and a process for identifying, analyzing, and responding to risks.
Internal auditors are required to evaluate control activities, such as the policies and procedures that help ensure that management directives are carried out. These promote actions that address the risks facing the organization and include performance reviews, information processing controls, physical controls, and segregation of duties.
The audit committee is required to monitor the process used to assess the quality of internal control performance over time. This may be achieved through ongoing activities or through separate evaluations. Ongoing monitoring activities include regularly performed supervisory and management activities, such as continuous monitoring of customer complaints or review of the reasonableness of management reports. Separate evaluations are performed on a non-routine basis, such as periodic audits by internal auditors.
Technology has enhanced an organization’s ability to monitor internal controls and risk management.
Risk management auditing has become an important part of the internal auditor’s role since the financial crisis and the European debt crisis. The role of the internal audit function as envisioned by enterprise-wide risk management holds great potential for valuable service by internal auditors.
Risk management is a fundamental element of corporate governance. Management is responsible for establishing and operating the risk management framework on behalf of the board. Enterprise-wide risk management brings many benefits as a result of its structured, consistent and coordinated approach. Internal auditing’s core role in relation to ERM should be to provide assurance to management and to the board on the effectiveness of risk management. When internal auditing extends its activities beyond this core role, it should apply certain safeguards, including treating the engagements as consulting services and, therefore, applying all relevant Standards. In this way, internal auditing will protect its independence and the objectivity of its assurance services. Within these constraints, ERM can help raise the profile and increase the effectiveness of internal auditing.
Internal auditing may provide consulting services that improve an organization’s governance, risk management, and control processes. One activity the internal audit function may undertake is making available to management the tools and techniques used by internal auditing to analyze risks and controls. Internal audit could be a champion for introducing ERM into the organization, leveraging its expertise in risk management and control and its overall knowledge of the organization. Internal audit could provide advice, facilitate workshops, coach the organization on risk and control, and promote the development of a common language, framework and understanding. The audit committee could act as the central point for coordinating, monitoring and reporting on risks, and support managers as they work to identify the best way to mitigate a risk.
Recommendation:
In my opinion, the internal audit committee should be more independent in monitoring the management and internal auditors in the organization. Management and internal auditors can use enterprise-wide risk management (ERM) to identify, assess, decide on responses to and report on opportunities and threats that affect the organization’s objectives.
The benefits of using ERM for the organization:
– Greater likelihood of achieving its objectives;
– Consolidated reporting of disparate risks at board level;
– Improved understanding of the key risks and their wider implications;
– Identification and sharing of cross-business risks;
– Greater management focus on the issues that really matter;
– Fewer surprises or crises;
– More focus internally on doing the right things in the right way, and an increased likelihood of change initiatives being achieved;
– Greater capability to take on more risk for greater reward, and more informed risk-taking and decision-making.
By using an ERM framework, the organization can make its internal controls and risk management more effective and reduce their cost.
References List:
Armour, M. (2000). ‘Internal Control: Governance Framework and Business Risk Assessment at Reed Elsevier’, Auditing: A Journal of Practice and Theory, Supplement 2000, pp. 76-81.
Berg, H. (2010). ‘Risk Management: Procedures, Methods and Experiences’, RT&A, No. 2(17), Vol. 1, June 2010.
Colletts, J. (2014). ‘Adopt the Proper Risk Management Approach’, Credit Union Directors Newsletter, Vol. 40, Issue 1, January 2014, p. 4.
Committee of Sponsoring Organizations of the Treadway Commission (COSO) (2004). Enterprise Risk Management – Integrated Framework, September 2004.
DiMaggio, P. J. and Powell, W. (1991). The New Institutionalism in Organizational Analysis. Chicago, IL: The University of Chicago Press.
Ellul, A. and Yerramilli, V. (2013). ‘Stronger Risk Controls, Lower Risk: Evidence from U.S. Bank Holding Companies’, The Journal of Finance, Vol. LXVIII, No. 5, pp. 1757-1803.
Fiskars Corporation (2012). Annual Report 2012. Available from: http://annualreport2012.fiskarsgroup.com/governance/internal-control-risk-management-and-internal-audit [Accessed 5 January 2014].
Hall, J. (2007). The Committee of Sponsoring Organizations of the Treadway Commission (COSO) released its Enterprise Risk. Available from: https://na.theiia.org/aboutus/Public%20Documents/Sawyer_Award_2007.pdf [Accessed 15 February 2014].
Institute of Internal Auditors (IIA) (2004). The Role of Internal Auditing in Enterprise Risk Management, September 2004. Altamonte Springs, FL: The Institute of Internal Auditors.
McShane, M., Nair, A. and Rustambekov, E. (2011). ‘Does Enterprise Risk Management Increase Firm Value?’, Journal of Accounting, Auditing & Finance, 2011, pp. 642-658.
Sobel, P. (2008). Risk Management-based Auditing. Available from: http://0-eds.a.ebscohost.com.brum.beds.ac.uk/eds/detail?vid=6&sid=ab82ea76-dddf-4f07-885d-7f4b23f48c8c%40sessionmgr4005&hid=4202&bdata=JnNpdGU9ZWRzLWxpdmUmc2NvcGU9c2l0ZQ%3d%3d#db=buh&AN=33832976 [Accessed 10 February 2014].
Sobel, P. (2008). ‘Risk Management-based Auditing: A New Guidance Framework Can Help Enhance Auditors’ Contributions to Organizational Governance’. Available from: http://0-eds.a.ebscohost.com.brum.beds.ac.uk/eds/pdfviewer/pdfviewer?sid=ab82ea76-dddf-4f07-885d-7f4b23f48c8c%40sessionmgr4005&vid=7&hid=4202 [Accessed 10 February 2014].
Sobel, P. (2008). Internal Auditor, Vol. 65, Issue 4, August 2008, pp. 92-93.
Stonesoft Corporation (2012). Risk Management, Internal Control and Internal Audit. Available from: http://www.stonesoft.com/en/company/investors/corporate_governance/risk_mgmt_and_internal_control/ [Accessed 10 January 2014].
Vincent, E. (2008). ‘Itinéraire d’un trader presque ordinaire’ (Itinerary of an Almost Ordinary Trader), Le Monde, 29 January 2008.